b'      Department of Homeland Security\n\n\n\n\n     Information Technology Management Letter for the\n    Transportation Security Administration Component of\n        the FY 2012 Department of Homeland Security\n                 Financial Statement Audit\n\n\n\n\nOIG-13-78                                       April 2013\n\n\x0c                         OFFICE OF INSPECTOR GENERAL\n                             Department of Homeland Security\n                             Washington, DC 20528 / www.oig.dhs.gov\n\n\n\n\n                                    April 18, 2013\n\n\nMEMORANDUM FOR:              Dr. Emma Garrison-Alexander\n                             Chief Information Officer\n                             Transportation Security Administration\n\n                             David Nicholson\n                             Chief Financial Officer\n                             Transportation Security Administration\n\nFROM:                        Frank Deffer\n                             Assistant Inspector General\n                             Office of Information Technology Audits\n\nSUBJECT:                     InformationfTechnologyfManagementfLetterfforfthef\n                             TransportationfSecurityfAdministrationfComponentfoffthef\n                             FYf2012fDepartmentfoffHomelandfSecurityfFinancialf\n                             StatementfAudit\n\nAttached for your action is our final report, InformationfTechnologyfManagementfLetterf\nforfthefTransportationfSecurityfAdministrationfComponentfoffthefFYf2012fDepartmentfoff\nHomelandfSecurityfFinancialfStatementfAudit.ffThe independent accounting firm KPMG\nLLP (KPMG) performed the Department of Homeland Security\xe2\x80\x99s financial statement\naudit as of September 30, 2012, and prepared this information technology (IT)\nmanagement letter.ff\n\nKPMG is responsible for the attached IT management letter dated December 20, 2012,\nand the conclusion expressed in it. 
We do not express an opinion on DHS\xe2\x80\x99 financial\nstatements or internal controls or conclusions on compliance with laws and regulations.\nThe DHS management concurred with all recommendations.\n\nConsistent with our responsibility under the InspectorfGeneralfAct, we are providing\ncopies of our report to appropriate congressional committees with oversight and\nappropriation responsibility over the Department of Homeland Security. We will post\nthe report on our website for public dissemination.\n\nPlease call me with any questions, or your staff may contact Sharon Huiswoud, Director,\nInformation Systems Audit Division, at (202) 254-5451.\n\x0c                                 KPMG LLP\n                                 Suite 12000\n                                 1801 K Street, NW\n                                 Washington, DC 20006\n\n\n\n\nApril 4, 2013\n\nInspector General\nU.S. Department of Homeland Security\n\nChief Information Officer and\nChief Financial Officer\nTransportation Security Administration\n\nWe have audited the balance sheet of the U.S. Department of Homeland Security (DHS or\nDepartment) as of September 30, 2012, and the related statements of net cost, changes in net\nposition, and custodial activity, and combined statement of budgetary resources for the year then\nended (referred to as the \xe2\x80\x9cfiscal year (FY) 2012 financial statements\xe2\x80\x9d). We were also engaged to\naudit the Department\xe2\x80\x99s internal control over financial reporting of the FY 2012 financial\nstatements. 
The objective of our audit engagement was to express an opinion on the fair\npresentation of the FY 2012 financial statements and the effectiveness of internal control over\nfinancial reporting of the FY 2012 financial statements.\nIn accordance with Government Auditing Standards, our Independent Auditors\xe2\x80\x99 Report, dated\nNovember 14, 2012, included internal control deficiencies identified during our audit\nengagement that, in aggregate, represented a material weakness in information technology (IT)\ncontrols and financial system functionality at the DHS Department-wide level. This letter\nrepresents the separate limited distribution report mentioned in that report, of matters related to\nthe Transportation Security Administration (TSA).\nDuring our audit engagement, we noted certain matters in the areas of access controls,\nconfiguration management, security management, and contingency planning with respect to\nTSA\xe2\x80\x99s financial systems general IT controls (GITC) which we believe contribute to a DHS\nDepartment-wide material weakness in IT controls and financial system functionality. These\nmatters are described in the General IT Control Findings and Recommendations section of this\nletter.\nThe comments described herein have been discussed with the appropriate members of\nmanagement, or communicated through Notices of Findings and Recommendations (NFRs), and\nare intended For Official Use Only. We aim to use our knowledge of DHS\xe2\x80\x99 organization gained\nduring our audit engagement to make comments and suggestions that we hope will be useful to\nyou. We have not considered internal control since the date of our Independent Auditors\xe2\x80\x99\nReport.\nThe Table of Contents on the next page identifies each section of the letter. 
We have provided a\ndescription of key TSA financial systems within the scope of the FY 2012 DHS financial\nstatement audit engagement in Appendix A; a description of each internal control finding in\nAppendix B; and the current status of the prior year NFRs in Appendix C. Our comments\nrelated to financial management and reporting internal controls (comments not related to IT)\n\n\n\n\n                                KPMG LLP is a Delaware limited liability partnership,\n                                the U.S. member firm of KPMG International Cooperative\n                                (\xe2\x80\x9cKPMG International\xe2\x80\x9d), a Swiss entity.\n\x0chave been presented in a separate letter to the Office of Inspector General (OIG) and the DHS\nChief Financial Officer.\nThis report is intended solely for the information and use of DHS management, DHS OIG, U.S.\nOffice of Management and Budget, U.S. Government Accountability Office (GAO), and the\nU.S. Congress, and is not intended to be and should not be used by anyone other than these\nspecified parties.\n\n\nVery truly yours,\n\x0c                                  Department of Homeland Security\n\n                               Transportation Security Administration\n\n                              Information Technology Management Letter\n                                         September 30, 2012\n\n\n\n                 INFORMATION TECHNOLOGY MANAGEMENT LETTER\n\n                                        TABLE OF CONTENTS\n\n                                                                                              Page\n\nObjective, Scope, and Approach                                                                 1\n\nSummary of Findings and Recommendations                                                        2\n\nGeneral IT Control and Financial System Functionality Findings and Recommendations             3\n\n   Findings                                                                                
    3\n\n        Related to IT Financial Systems Controls                                               3\n\n           Configuration Management                                                            3\n\n           Access Controls                                                                     3\n\n           Contingency Planning                                                                3\n\n           Security Management                                                                 3\n\n                 After \xe2\x80\x93 Hours Physical Security Testing                                       4\n\n                 Social Engineering Testing                                                    4\n\n        Related to Financial System Functionality                                              4\n\n   Recommendations                                                                             5\n\nApplication Controls                                                                           6\n\n\n                                            APPENDICES\n\nAppendix                                           Subject\t                                   Page\n\n            Description of Key TSA Financial Systems and IT Infrastructure within the Scope\n   A\t                                                                                          7\n            of the FY 2012 DHS Financial Statement Audit\n   B\t       FY 2012 Notices of IT Findings and Recommendations at TSA                          9\n\n            Status of Prior Year Notices of Findings and Recommendations and Comparison\n   C\t       to Current Year Notices of Findings and Recommendations at Transportation         11\n\n            Security Administration\n\n\n\n\n\n                   Information Technology Management Letter for the TSA\n\n     Component of the FY 2012 Department of Homeland Security Financial Statement Audit\n\n\x0c                                   Department of Homeland 
Security\n\n                                Transportation Security Administration\n\n                               Information Technology Management Letter\n                                          September 30, 2012\n\n                              OBJECTIVE, SCOPE, AND APPROACH\n\nIn connection with our engagement to audit the financial statements of DHS as of and for the year ended\nSeptember 30, 2012, we performed an evaluation of the general Information Technology (IT) controls\n(GITCs) at TSA and the U. S. Coast Guard (Coast Guard) (TSA\xe2\x80\x99s IT service provider for financial\nprocesses), to assist in planning and performing our audit engagement. The Coast Guard Finance Center\n(FINCEN) hosts key financial applications for TSA. As such, our audit procedures over GITCs for TSA\nincluded testing of the Coast Guard\xe2\x80\x99s FINCEN policies, procedures, and practices, as well as TSA\npolicies, procedures and practices at TSA Headquarters (HQ). The Federal Information System Controls\nAudit Manual (FISCAM), issued by the GAO, formed the basis of our GITC evaluation procedures. The\nscope of the GITC evaluation is further described in Appendix A.\n\nFISCAM was designed to inform financial statement auditors about IT controls and related audit concerns\nto assist them in planning their audit work and to integrate the work of auditors with other aspects of the\nfinancial statement audit. FISCAM also provides guidance to auditors when considering the scope and\nextent of review that generally should be performed when evaluating GITCs and the IT environment of a\nfederal agency. 
FISCAM defines the following five control functions to be essential to the effective\noperation of GITCs and the IT environment.\n\n\xe2\x80\xa2\t Security Management (SM) \xe2\x80\x93 Controls that provide a framework and continuing cycle of activity for\n   managing risk, developing security policies, assigning responsibilities, and monitoring the adequacy\n   of computer-related security controls.\n\n\xe2\x80\xa2\t Access Control (AC) \xe2\x80\x93 Controls that limit and/or monitor access to computer resources (data,\n   programs, equipment, and facilities) to protect against unauthorized modification, loss, and disclosure.\n\n\xe2\x80\xa2\t Configuration Management (CM) \xe2\x80\x93 Controls that help to prevent the implementation of unauthorized\n   programs or modifications to existing programs.\n\n\xe2\x80\xa2\t Segregation of Duties (SD) \xe2\x80\x93 Controls that constitute policies, procedures, and an organizational\n   structure to prevent one individual from controlling key aspects of computer-related operations, thus\n   deterring unauthorized actions or access to assets or records.\n\n\xe2\x80\xa2\t Contingency Planning (CP) \xe2\x80\x93 Controls that involve procedures for continuing critical operations\n   without interruption, or with prompt resumption, when unexpected events occur.\n\nTo complement our GITC audit, we also performed technical security testing for key network and system\ndevices. The technical security testing was performed both over the Internet and from within select Coast\nGuard and TSA facilities, and focused on test, development, and production devices that directly support\nTSA\xe2\x80\x99s financial processing and key general support systems. 
Limited social engineering and after-hours\nphysical security testing was also included in the scope of the technical security testing.\n\nIn addition to GITC testing, application controls were tested for the year ending September 30, 2012,\nwhich were identified as key controls by the financial audit team.\n\n\n\n\n   Information Technology Management Letter for the Transportation Security Administration\n\n     Component of the FY 2012 Department of Homeland Security Financial Statement Audit\n\n                                          Page 1\n\n\x0c                                   Department of Homeland Security\n\n                                Transportation Security Administration\n\n                               Information Technology Management Letter\n                                          September 30, 2012\n\n                     SUMMARY OF FINDINGS AND RECOMMENDATIONS\n\nDuring FY 2012, TSA took corrective action to address prior year IT control deficiencies. For example,\nTSA made improvements over its revalidation of user accounts for certain systems; strengthened\npassword parameters; and ensured administrators had their own unique login id and password. During\nFY 2012, we continued to identify IT general control deficiencies that impact TSA\xe2\x80\x99s financial data. In\naddition, based upon the results of our test work, we noted that TSA did not fully comply with the\nDepartment\xe2\x80\x99s requirements of the Federal Financial Management Improvement Act of 1996 (FFMIA).\n\nIn FY 2012, our IT audit work identified nine IT findings, of which three were repeat findings from the\nprior year, and six were new findings. In addition, we determined that TSA remediated three IT findings\nidentified in previous years. These findings represent deficiencies in four of the five FISCAM key\ncontrol areas. 
Specifically the deficiencies were:\n\n    1.\t Unverified access controls through the lack of comprehensive user access privilege \n\n        recertifications;\n\n    2.\t Access control issues involving password complexity settings;\n    3.\t Lack of review of audit logs;\n    4.\t Poorly designed controls over new user access to the network and an individual financial system;\n    5.\t Lack of testing of restoration of backups; and\n    6.\t Physical security and security awareness issues.\n\nIn addition, we determined that the following deficiencies identified at the Coast Guard IT environment\nalso impact TSA financial data:\n\n    1.\t Inadequately designed and operating IT script change control policies and procedures;\n    2.\t Security management issues involving civilian and contractor background investigations;\n    3.\t Lack of consistent contractor, civilian, and military system account termination notification\n        process;\n    4.\t Physical security and security awareness issues; and\n    5.\t Procedures for role-based training for individuals with elevated responsibilities not fully\n\n        implemented.\n\n\nWe also considered the effects of financial systems functionality when testing internal controls since key\nCoast Guard financial systems that house TSA financial data are not compliant with FFMIA and are no\nlonger supported by the original software provider. 
Financial system functionality limitations add to the\nchallenge of addressing systemic internal control deficiencies, and strengthening the control environment\nat FINCEN.\n\nThese deficiencies may increase the risk that the confidentiality, integrity, and availability of system\ncontrols and TSA financial data could be exploited thereby compromising the integrity of financial data\nused by management and reported in TSA\xe2\x80\x99s financial statements.\n\nWhile the recommendations made by us should be considered by TSA, it is the ultimate responsibility of\nTSA management to determine the most appropriate method(s) for addressing the deficiencies identified.\n\n\n   Information Technology Management Letter for the Transportation Security Administration\n\n     Component of the FY 2012 Department of Homeland Security Financial Statement Audit\n\n                                          Page 2\n\n\x0c                                    Department of Homeland Security\n\n                                 Transportation Security Administration\n\n                                Information Technology Management Letter\n                                           September 30, 2012\n\n            GENERAL IT CONTROL AND FINANCIAL SYSTEM FUNCTIONALITY\n\n                        FINDINGS AND RECOMMENDATIONS\n\n\nFindings:\n\nDuring our engagement to audit the FY 2012 DHS financial statements, we identified the following TSA\nIT and financial system control deficiencies. 
Our findings are divided into two groupings: 1) financial\nsystems controls and 2) IT system functionality.\n\nRelated to IT Financial Systems Controls:\n\nConfiguration Management\n\nThe Coast Guard\xe2\x80\x99s core financial system configuration management process controls are not operating\neffectively, and continue to present risks to TSA financial data confidentiality, integrity, and availability.\nFinancial data in the general ledger may be compromised by automated and manual changes that are not\nadequately controlled, documented, and tested. For example, the Coast Guard uses an IT scripting\nprocess to make updates, as necessary, to its core general ledger software to process financial data, and\nwe found inconsistencies of data within the script record documentation existed.\n\nAccess Controls\n\n\xe2\x80\xa2\t The Computer Access Agreement process for TSA employees has not been consistently implemented\n   and applied based on TSA policy.\n\xe2\x80\xa2\t Access review procedures for one key financial application, Electronic Time Attendance and\n   Scheduling (eTAS), does not include the review of all user accounts to ensure that all terminated\n   individuals no longer have active accounts; inactive accounts are locked; and privileges associated\n   with each individual are still authorized and necessary.\n\xe2\x80\xa2\t Password settings for one key financial application, eTAS, were not configured to enforce password\n   length or complexity.\n\xe2\x80\xa2\t New users obtained access to eTAS without all required training completed or new user access forms\n   completed as required by TSA policy.\n\xe2\x80\xa2\t Audit logs are not reviewed for inappropriate or unusual activity over eTAS.\n\nContingency Planning\n\n\xe2\x80\xa2\t Restoration testing of backup media over eTAS is not performed to ensure integrity and reliability of\n   data.\n\nSecurity Management\n\n\xe2\x80\xa2\t Formalized documented policies do not exist to ensure IT systems are 
properly evaluated for basic\n   requirements by the appropriate offices and levels of management prior to the system implementation\n   of eTAS.\n\xe2\x80\xa2\t During our after-hours physical security and social engineering testing, we identified exceptions in the\n   protection of sensitive user account information. The tables below detail the exceptions identified at\n   the locations tested.\n\n   Information Technology Management Letter for the Transportation Security Administration\n\n     Component of the FY 2012 Department of Homeland Security Financial Statement Audit\n\n                                          Page 3\n\n\x0c                                     Department of Homeland Security\n\n                                  Transportation Security Administration\n\n                                 Information Technology Management Letter\n                                            September 30, 2012\n\nAfter-Hours Physical Security Testing:\n\nWe performed after-hours physical security testing to identify risks related to non-technical aspects of IT\nsecurity. These non-technical IT security aspects include physical access to media and equipment that\nhouses financial data and information residing on a TSA employee\xe2\x80\x99s / contractor\xe2\x80\x99s desk, which could be\nused by others to gain unauthorized access to systems housing financial information. 
The testing was\nperformed at TSA HQ.\n\n                 Exceptions Noted (1)                               Total Exceptions at TSA\n                                                                          HQ by Type\n                 Passwords (2)                                                    6\n                 Keys                                                             1\n                 Personally Identifiable Information (PII) (3)                    3\n                 Unlocked Laptop                                                  4\n                 External Drive, Other Media, etc.                                2\n                 Total Exceptions at TSA HQ                                      16\n                 (1) There were cases of multiple exceptions in a single workspace, but the type\n                     of exception was only noted as 1 exception. For example, one cubicle had\n                     multiple passwords, but this was only recorded as 1 exception.\n                 (2) Attempts to login to the systems with the identified passwords were not\n                     performed. However, we assumed that the identified passwords were valid\n                     passwords. Also includes one password for a debit card account.\n                 (3) Includes one health form containing sensitive PII.\n\nSocial Engineering Testing:\n\nSocial engineering is defined as the act of attempting to manipulate or deceive individuals into taking\naction that is inconsistent with DHS policies, such as divulging sensitive information or allowing /\nenabling computer system access. 
The term typically applies to trickery or deception for the purpose of\ninformation gathering, or gaining computer system access.\n\n  Total Called              Total Answered               Number of employees who provided their user ID\n                                                                        and password\n\n       45                           15                                                3\n\nRelated to Financial System Functionality:\n\nWe noted that financial system functionality limitations are contributing to control deficiencies, inhibiting\nprogress on corrective actions impacting TSA. These functionality limitations are preventing the TSA\nfrom improving the efficiency and reliability of its financial reporting processes. Some of the financial\nsystem limitations lead to extensive manual and redundant procedures to process transactions, verify\naccuracy of data, and to prepare financial statements. Systemic conditions related to financial system\nfunctionality include:\n\n\n   Information Technology Management Letter for the Transportation Security Administration\n\n     Component of the FY 2012 Department of Homeland Security Financial Statement Audit\n\n                                          Page 4\n\n\x0c                                   Department of Homeland Security\n\n                                Transportation Security Administration\n\n                               Information Technology Management Letter\n                                          September 30, 2012\n\n\xe2\x80\xa2\t Financial systems functionality limitations are preventing the TSA from establishing automated\n   processes and application controls that would improve accuracy, reliability, and facilitate efficient\n   processing of certain financial data such as:\n    -   Maintaining adequate posting logic transaction codes to ensure that transactions are recorded in\n        accordance with generally accepted accounting principles; and\n    -   Tracking 
detailed transactions associated with intragovernmental business and eliminating the\n        need for default codes such as Trading Partner Identification Number that cannot be easily\n        researched.\n\nRecommendations:\n\nWe recommend that TSA take the following corrective actions:\n\n\xe2\x80\xa2\t Work with the DHS Chief Financial Officer (CFO), DHS Chief Information Officer, and Coast Guard\n   HQ to ensure the following planned corrective actions take place in a timely manner:\n    -   Continue to provide training and update the procedures and tools if necessary, to better document\n        and review the Test Strategy Field among the script analysts and script approvers to promote\n        consistency.\n    -   Continue to conduct internal FINCEN Internal Control Branch (ICB) review over the script\n        process, software development life cycle, and configuration management policies and procedures.\n\xe2\x80\xa2\t Direct the Information Assurance Division to provide the Financial Management Division\xe2\x80\x99s ICB with\n   the Quarterly Delinquency Report for IT Security Awareness Training.\n\xe2\x80\xa2\t Direct the ICB to develop an internal control review on the delinquency rate of users who are beyond\n   the 60 day requirement per the TSA Information Assurance Handbook.\n\xe2\x80\xa2\t Ensure that Supervisors and Contracting Officer\xe2\x80\x99s Representatives within each program office in TSA\n   require each employee and contractor complete IT Security Awareness Training within 60 days of\n   being granted access to information systems, in accordance with the IT Security Policy Handbook.\n\xe2\x80\xa2\t Update the eTAS policy to state that license audits will be conducted on a quarterly basis.\n\xe2\x80\xa2\t Work with the airports once eTAS has marked its first year to conduct annual account recertifications\n   in order to be in compliance with DHS 4300A.\n\xe2\x80\xa2\t Enable the existing password complexity functionality within the 
eTAS application and require all\n   users to change their passwords to contain a combination of all the following: alphabetic (lowercase\n   and uppercase), numeric and special characters.\n\xe2\x80\xa2\t Adhere to the policy regarding KRONOS training certificates and access forms.\n\xe2\x80\xa2\t Instruct a TSA contractor to create a log parsing facility for the KRONOS Application logs which will\n   generate a list of User Account changes (Creation, Deletion, Modification of Rights and Privileges)\n   that occurred within the last month. This list of account changes will be compared against the\n   Account Request forms for that month. The review will be conducted by the System Owner or\n   designee.\n\xe2\x80\xa2\t Work with the TSA Security Operations Center (SOC) to send all log files from the Windows servers\n   as well as the ETA KRONOS application and web server itself to the TSA SOC where centralized\n   logging, log correlation, audit reduction, real-time review and analysis can be conducted on a regular\n   basis.\n\n\n\n   Information Technology Management Letter for the Transportation Security Administration\n\n     Component of the FY 2012 Department of Homeland Security Financial Statement Audit\n\n                                          Page 5\n\n\x0c                                   Department of Homeland Security\n\n                                Transportation Security Administration\n\n                               Information Technology Management Letter\n                                          September 30, 2012\n\n\xe2\x80\xa2\t Perform annual testing to ensure the integrity and reliability of the backup media in compliance with\n   DHS Sensitive Systems Policy Directive 4300A, Information Technology Security Program, the TSA\n   Information Assurance Handbook, and National Institute of Standards and Technology Special\n   Publication 800-53, revision 3.\n\xe2\x80\xa2\t Dedicate resources to execute elements of the IT Security 
Awareness Training program related to\n   social engineering, including conducting internal testing on a quarterly basis, conducting one-on-one\n   training with individuals failing social engineering attempts, taking administrative actions, if needed,\n   on a case-by-case basis in regards to social engineering, and conducting communications campaigns\n   via broadcasts warning against social engineering.\n\xe2\x80\xa2\t Ensure during New Employee orientation, the Office of Security will continue to advise new\n   employees to secure their cubicles/offices, to include sensitive information, when not at their\n   cubicles/offices.\n\xe2\x80\xa2\t Ensure that when personnel are reassigned, that individual\xe2\x80\x99s Business Management Office (BMO)\n   notify the Office of Security of their newly assigned office and floor. This will enable the Office of\n   Security to assign the appropriate access to the employee\xe2\x80\x99s Personal Identity Verification (PIV) card\n   and/or provide office keys to an individual with an office.\n\xe2\x80\xa2\t Coordinate efforts between the Office of Security and BMOs and/or the office occupant to ensure that\n   individuals authorized to have access to the office besides the office occupant are identified.\n\xe2\x80\xa2\t Implement appropriate monitoring controls around personnel separation procedures to ensure that\n   BMOs/Contracting Officer\xe2\x80\x99s Technical Representatives consistently notify the Office of Security in a\n   timely manner when individuals depart TSA so that their PIV card access can be terminated.\n\xe2\x80\xa2\t Implement appropriate monitoring controls around personnel separation procedures to ensure that\n   limited physical access is granted by Office of Security to authorized personnel only in accordance\n   with an official request.\n\xe2\x80\xa2\t Coordinate efforts between the TSA CFO and the TSA Chief Information Security Officer (CISO) to\n   develop a process to communicate potential 
financial systems to the CISO that would be used to\n   update the Trusted Agent Federal Information Security Management Act tool.\n\xe2\x80\xa2\t Implement appropriate monitoring controls around the evaluation of TSA systems and subsequent\n   documentation and management of POA&Ms and auditor-identified weaknesses to ensure that all\n   weaknesses are corrected.\n\xe2\x80\xa2\t Coordinate efforts between the TSA CFO and the TSA CISO to ensure that the inventory submitted to\n   the DHS CFO for CFO designated financial systems is complete and accurately represents the current\n   IT environment.\n\n\n                                     APPLICATION CONTROLS\n\nApplication controls were tested for the year ending September 30, 2012, and we found no issues.\n\n\n\n\n   Information Technology Management Letter for the Transportation Security Administration\n\n     Component of the FY 2012 Department of Homeland Security Financial Statement Audit\n\n                                          Page 6\n\n\x0c                                                                               Appendix A\n\n                            Department of Homeland Security\n\n                         Transportation Security Administration\n\n                        Information Technology Management Letter\n                                   September 30, 2012\n\n\n\n\n                                   Appendix A\n\nDescription of Key TSA Financial Systems and IT Infrastructure\n\nwithin the Scope of the FY 2012 DHS Financial Statement Audit\n\n\n\n\n\nInformation Technology Management Letter for the Transportation Security Administration\n\n  Component of the FY 2012 Department of Homeland Security Financial Statement Audit\n\n                                       Page 7\n\n\x0c                                                                                             Appendix A\n\n                                  Department of Homeland Security\n\n                               
Below is a high-level description of significant financial management systems included in the scope of
the engagement to perform the financial statement audit.

Core Accounting System (CAS)

CAS is the core accounting system that records financial transactions and generates financial statements
for the United States Coast Guard. CAS is hosted at the Coast Guard’s FINCEN in Virginia (VA) and is
managed by the United States Coast Guard. The FINCEN is the Coast Guard’s primary financial system
data center. CAS interfaces with other systems located at the FINCEN, including the Financial
Procurement Desktop.

Financial Procurement Desktop (FPD)

The FPD application is used to create and post obligations to the core accounting system. It allows users
to enter funding, create purchase requests, issue procurement documents, perform system administration
responsibilities, and reconcile weekly program element status reports. FPD is interconnected with the
CAS system, is hosted at the FINCEN in VA, and is managed by the Coast Guard.

Sunflower

Sunflower is a customized third-party commercial off-the-shelf product used for TSA and Federal Air
Marshal Service property management. Sunflower interacts directly with the Office of Finance Fixed
Assets module in CAS. Additionally, Sunflower is interconnected to the FPD system, is hosted at the
FINCEN in VA, and is managed by the Coast Guard.

MarkView

MarkView is imaging and workflow software used to manage invoices in CAS. Each invoice is stored
electronically and associated with a business transaction so that users are able to see the image of the
invoice. MarkView is interconnected with the CAS system, is located at the FINCEN in VA, and is
managed by the Coast Guard.

Electronic Time Attendance and Scheduling (eTAS)

eTAS is an automated and standardized labor management solution. The system provides an automated
means to schedule employee work and leave hours, record hours worked / not worked, and provide
bi-weekly time records to TSA’s payroll provider, the National Finance Center. The system automates the
workforce management process to reduce the amount of time, effort, and associated cost required for
entry of data.


                                   Appendix B

 FY 2012 Notices of IT Findings and Recommendations at TSA

FY 2012 NFR #   NFR Title                                                      FISCAM Control Area        New Issue   Repeat Issue
TSA-IT-12-01    Physical Security and Security Awareness Issues identified     Access Controls                          X
                during enhanced security testing
TSA-IT-12-02    Computer Access Agreements                                     Access Controls                          X
TSA-IT-12-03    eTAS User Account Recertification                              Access Controls            X
TSA-IT-12-04    eTAS User Passwords                                            Access Controls            X
TSA-IT-12-05    eTAS Restoration Testing of Media Backups                      Contingency Planning       X
TSA-IT-12-06    eTAS Audit Logs                                                Access Controls            X
TSA-IT-12-07    eTAS System User Access                                        Access Controls            X
TSA-IT-12-08    Configuration Management Controls Over the Coast Guard         Configuration Management                 X
                Scripting Process
TSA-IT-12-09    eTAS Pre-Implementation Deficiencies                           Security Management        X


                                   Appendix C

Status of Prior Year Notices of Findings and Recommendations
and Comparison to Current Year Notices of Findings and
Recommendations at TSA


                                                                                                 Disposition
NFR No.          Description                                                                     Closed   Repeat
TSA-IT-11-01     Markview – Password Settings                                                    X
TSA-IT-11-02     Markview – Administrator Account                                                X
TSA-IT-11-03     Physical Security and Security Awareness Issues Identified during Enhanced               X
                 Security Testing
TSA-IT-11-04     TSA Computer Access Agreement Process                                                    X
TSA-IT-11-05     Sunflower and Markview User Account Recertifications                            X
TSA-IT-11-06     Configuration Management Controls Over the Coast Guard Scripting Process                 X

ADDITIONAL INFORMATION AND COPIES

To obtain additional copies of this document, please call us at (202) 254-4100, fax your
request to (202) 254-4305, or e-mail your request to our Office of Inspector General
(OIG) Office of Public Affairs at: DHS-OIG.OfficePublicAffairs@oig.dhs.gov.

For additional information, visit our website at: www.oig.dhs.gov, or follow us on Twitter
at: @dhsoig.

OIG HOTLINE

To expedite the reporting of alleged fraud, waste, abuse or mismanagement, or any
other kinds of criminal or noncriminal misconduct relative to Department of Homeland
Security (DHS) programs and operations, please visit our website at www.oig.dhs.gov
and click on the red tab titled "Hotline" to report. You will be directed to complete and
submit an automated DHS OIG Investigative Referral Submission Form. Submission
through our website ensures that your complaint will be promptly received and
reviewed by DHS OIG.

Should you be unable to access our website, you may submit your complaint in writing
to: DHS Office of Inspector General, Attention: Office of Investigations Hotline, 245
Murray Drive, SW, Building 410/Mail Stop 2600, Washington, DC, 20528; or you may
call 1 (800) 323-8603; or fax it directly to us at (202) 254-4297.

The OIG seeks to protect the identity of each writer and caller.